FEATURE: ithome-02 provision aws organization and accounts

accounts.json

@@ -0,0 +1,8 @@
+{
+  "dev": "",
+  "logs": "",
+  "prod": "",
+  "security": "",
+  "shared": "",
+  "stage": ""
+}

common.hcl

@@ -0,0 +1,15 @@
+locals {
+  # TODO: Enter a unique name prefix to set for all resources created in your accounts, e.g., your org name.
+  name_prefix = "chechia"
+  # TODO: Enter the default AWS region, the same as where the terraform state S3 bucket is currently provisioned.
+  default_region = "ap-northeast-1"
+
+  # TODO: Fill these in after applying the account-baseline-root to the root account.
+  config_s3_bucket_name      = ""
+  cloudtrail_s3_bucket_name  = ""
+  cloudtrail_kms_key_arn     = ""
+
+  # TODO: An accounts map to conveniently store all account IDs.
+  # Centrally define all the AWS account IDs. We use JSON so that it can be readily parsed outside of Terraform.
+  accounts = jsondecode(file("accounts.json"))
+}

dev/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

dev/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = ""
+}

dev/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

logs/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

logs/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = ""
+}

logs/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

prod/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

prod/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = ""
+}

prod/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

root/_global/account-baseline/terragrunt.hcl

@@ -0,0 +1,68 @@
+terraform {
+  source = "git::https://github.com/chechiachang/terragrunt-infrastructure-modules.git//aws/modules/account-baseline-root?ref=v0.0.1"
+
+  # This module deploys some resources (e.g., AWS Config) across all AWS regions, each of which needs its own provider,
+  # which in Terraform means a separate process. To avoid all these processes thrashing the CPU, which leads to network
+  # connectivity issues, we limit the parallelism here.
+  extra_arguments "parallelism" {
+    commands  = get_terraform_commands_that_need_parallelism()
+    arguments = ["-parallelism=2"]
+  }
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  # If you've already created an AWS Organization in your root account, you'll be able to import it later in this guide
+  create_organization = true
+
+  # The child AWS accounts to create in this AWS organization
+  child_accounts = {
+    logs = {
+      email = "root-accounts+logs@chechia.net"
+
+      # Mark this account as the logs account, used to aggregate all AWS Config and CloudTrail data.
+      is_logs_account = true
+    },
+    security = {
+      email = "root-accounts+security@chechia.net"
+    },
+    shared = {
+      email = "root-accounts+shared@chechia.net"
+    },
+    dev = {
+      email = "root-accounts+dev@chechia.net"
+    },
+    stage = {
+      email = "root-accounts+stage@chechia.net"
+    },
+    prod = {
+      email = "root-accounts+prod@chechia.net"
+    },
+    test = {
+      email = "chechiachang999+terraform-test@gmail.com"
+    }
+  }
+
+  # The IAM users to create in this account. Since this is the root account, you should only create IAM users for a
+  # small handful of trusted admins.
+  #
+  # NOTE: Make sure to include the IAM user you created manually here! We'll import the user into Terraform state in
+  # the next step of this guide, allowing you to manage this user as code going forward.
+  users = {
+    alice = {
+      groups               = ["full-access"]
+      pgp_key              = "keybase:alice"
+      create_login_profile = true
+      create_access_keys   = false
+    },
+    bob = {
+      groups               = ["billing"]
+      pgp_key              = "keybase:bob"
+      create_login_profile = true
+      create_access_keys   = false
+    }
+  }
+}

root/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

root/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = "706136188012"
+}

root/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

security/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

security/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = ""
+}

security/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

shared/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

shared/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = ""
+}

shared/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

stag/_global/region.hcl

@@ -0,0 +1,5 @@
+# Modules in the account _global folder don't live in any specific AWS region, but you still have to send the API calls
+# to _some_ AWS region, so here we use the default region for those API calls.
+locals {
+  aws_region = read_terragrunt_config(find_in_parent_folders("common.hcl")).locals.default_region
+}

stag/account.hcl

@@ -0,0 +1,7 @@
+locals {
+  # TODO: Update with the actual information of each account
+  # The user friendly name of the AWS account. Usually matches the folder name.
+  account_name = basename(get_terragrunt_dir())
+  # The 12 digit ID number of your AWS account.
+  account_id = ""
+}

stag/ap-northeast-1/region.hcl

@@ -0,0 +1,4 @@
+locals {
+# TODO: Enter the region to use for all resources in this subfolder.
+  aws_region = basename(get_terragrunt_dir())
+}

terragrunt.hcl

@@ -0,0 +1,63 @@
+# -----------------------------------------------------------------------------
+# TERRAGRUNT CONFIGURATION
+# -----------------------------------------------------------------------------
+
+locals {
+  common_vars  = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  region_vars  = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+  name_prefix    = local.common_vars.locals.name_prefix
+  account_name   = local.account_vars.locals.account_name
+  account_id     = local.account_vars.locals.account_id
+  default_region = local.common_vars.locals.default_region
+  //aws_region     = local.region_vars.["aws_region"]
+  aws_region     = local.region_vars.locals.aws_region
+}
+
+# -----------------------------------------------------------------------------
+# GENERATED PROVIDER BLOCK
+# -----------------------------------------------------------------------------
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  region = "${local.aws_region}"
+  #version = ">= 3.13.0"
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# -----------------------------------------------------------------------------
+# GENERATED REMOTE STATE BLOCK
+# -----------------------------------------------------------------------------
+
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    encrypt        = true
+    bucket         = "${local.name_prefix}-${local.account_name}-${local.aws_region}-terraform-state"
+    key            = "${path_relative_to_include()}/terraform.tfstate"
+    region         = local.default_region
+    dynamodb_table = "terraform-locks"
+  }
+}
+
+# -----------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# -----------------------------------------------------------------------------
+
+inputs = {
+  # Set commonly used inputs globally to keep child terragrunt.hcl files DRY
+  aws_account_id = local.account_id
+  aws_region     = local.aws_region
+  name_prefix    = local.name_prefix
+}